Abstract

Protocol narrations are widely used in security as semi-formal notations to specify conversations between roles. We define a translation from a protocol narration to the sequences of operations to be performed by each role. Unlike previous works, we reduce this compilation process to well-known decision problems in formal protocol analysis. This allows one to define a natural notion of prudent translation and to reuse many known results from the literature in order to cover more crypto-primitives. In particular this work is the first one to show how to compile protocols parameterised by the properties of the available operations.
Cryptographic protocols are designed to prescribe message exchanges between agents in a hostile environment in order to guarantee some security properties such as confidentiality. There are many apparently similar ways to describe a given security protocol. However one has to be precise when specifying how a message should be interpreted and processed by an agent since overlooking subtle details may lead to dramatic flaws. The main issues are the following:

• What parts of a received message should be extracted and checked by an agent?

• What actions should be performed by an agent to compute an answer?

These questions are often either partially or not at all addressed in common protocol descriptions such as the so-called protocol narrations. A protocol narration is the definition of a cryptographic protocol by the intended sequence of messages. For example the well-known Needham-Schroeder Public Key protocol is conveniently specified by the following text:



$A \to B : \mathrm{enc}((A, N_a), K_B)$
$B \to A : \mathrm{enc}((N_a, N_b), K_A)$
$A \to B : \mathrm{enc}(N_b, K_B)$
where
$A$ knows $A, B, K_A, K_B, K_A^{-1}$
$B$ knows $A, B, K_A, K_B, K_B^{-1}$

Protocol narrations are also a textual representation of Message Sequence Charts (MSC), which are employed e.g. in RFCs. For more complex protocols, one needs to indicate the internal computations of each participant either by annotating the MSC or by employing the Lowe operator [17] or otherwise express internal actions that have to be performed, as in the specification of Fig. 1.

Client                                    Host
U = <username>                     -->
                                   <--    s = <salt from passwd file>
  Upon identifying himself to the host, the client will receive the
  salt stored on the host under his username.
a = random()
A = g^a % N                        -->
                                          v = <stored password verifier>
                                          b = random()
                                   <--    B = (v + g^b) % N
p = <raw password>
x = SHA(s | SHA(U | ":" | p))
S = (B - g^x)^(a + u*x) % N               S = (A * v^u)^b % N
K = SHA_Interleave(S)                     K = SHA_Interleave(S)

Figure 1: Annotated message sequence chart extracted from RFC 2945 (SRP Authentication and Key Exchange System)

We claim that all internal computations specified in Figure 1, and more generally most such annotations, can be computed automatically from the protocol narration. Our goal in this paper is to give an operational semantics to — or, equivalently, to compile — protocol narrations so that internal actions (excluding e.g. storing a value in a special list for a use external to the protocol) are described.

Related works. Although many works have been dedicated to verifying cryptographic protocols in various formalisms, only a few have considered the different problem of extracting operational (non-ambiguous) role definitions from protocol descriptions. Operational roles are expressed as multiset rewrite rules in CAPSL [?], CASRUL [15], or sequential processes of the spi-calculus with pattern-matching [5]. This extraction is also used for end-point projection [18, ?]. A pioneering work in this area is the one by Carlsen [7] that proposed a system for translating protocol narrations into CKT5 [?], a modal logic of communication, knowledge and time.

Compiling narrations to roles has been extended beyond perfect encryption primitives to algebraic theories in [10, 22]. We note that, although these works have very similar goals, all their operational role computations are ad hoc and lack a uniform principle. In particular they essentially re-implemented previously known techniques. An advantage of [22] is that it supports implicit decryption, which may lead to more efficient secrecy decision procedures.

We propose here a uniform approach to role computation that allows us to relate the problem to well-known decision results in formal cryptographic protocol analysis, namely the reachability problem. Moreover this approach is also used successfully for the automatic computation of prudent security wrappers (a.k.a. security tests) for filtering messages received by principals. We show how to reduce this computation to known results about the standard notion of static equivalence.
2 Role-based Protocol Specifications

First we show how from Alice & Bob notation we can derive a plain role-based specification. Then the specification will be refined in the following sections.

2.1 Specification of messages and basic operations 

Terms. We consider an infinite set of free constants $\mathcal{C}$ and an infinite set of variables $\mathcal{X}$. For each signature $\mathcal{F}$ (i.e. a set of function symbols with arities), we denote by $T(\mathcal{F})$ (resp. $T(\mathcal{F}, \mathcal{X})$) the set of terms over $\mathcal{F} \cup \mathcal{C}$ (resp. $\mathcal{F} \cup \mathcal{C} \cup \mathcal{X}$). The former is called the set of ground terms over $\mathcal{F}$, while the latter is simply called the set of terms over $\mathcal{F}$. Variables are denoted by $x, y$, terms are denoted by $s, t, u, v$, and finite sets of terms are written $E, F$, and decorations thereof, respectively. We abbreviate $E \cup F$ by $E, F$, the union $E \cup \{t\}$ by $E, t$ and $E \setminus \{t\}$ by $E \setminus t$.

In a signature $\mathcal{F}$ a constant is either a free constant or a function symbol of arity 0. Given a term $t$ we denote by $\mathrm{Var}(t)$ the set of variables occurring in $t$ and by $\mathrm{Cons}(t)$ the set of constants occurring in $t$. A substitution $\sigma$ is an idempotent mapping from $\mathcal{X}$ to $T(\mathcal{F}, \mathcal{X})$ such that $\mathrm{Supp}(\sigma) = \{x \mid \sigma(x) \neq x\}$, the support of $\sigma$, is a finite set. The application of a substitution $\sigma$ to a term $t$ (resp. a set of terms $E$) is denoted $t\sigma$ (resp. $E\sigma$) and is equal to the term $t$ (resp. $E$) where all variables $x$ have been replaced by the term $x\sigma$. A substitution $\sigma$ is ground if for each $x \in \mathrm{Supp}(\sigma)$ we have $x\sigma \in T(\mathcal{F})$.

Operations. Terms are manipulated by applying operations on them. These operations are defined by a subset of the signature $\mathcal{F}$ called the set of public constructors. A context $C[x_1, \ldots, x_n]$ is a term in which all symbols are public and such that its nullary symbols are either public non-free constants or variables.

Equational theories. An equational presentation $\mathcal{E} = (\mathcal{F}, E)$ is defined by a set $E$ of equations $u = v$ with $u, v \in T(\mathcal{F}, \mathcal{X})$. The equational theory generated by $(\mathcal{F}, E)$ on $T(\mathcal{F}, \mathcal{X})$ is the smallest congruence containing all instances of axioms of $E$ (free constants can also be used for building instances). We write $s =_{\mathcal{E}} t$ for the congruence relation between two terms $s$ and $t$. By abuse of terminology we also call $\mathcal{E}$ the equational theory generated by the presentation $\mathcal{E}$ when there is no ambiguity. This equational theory is introduced in order to specify the effects of operations on the messages and the properties of messages.

Deduction systems. A deduction system is defined by a triple $(\mathcal{E}, \mathcal{F}, \mathcal{F}_p)$ where $\mathcal{E}$ is an equational presentation on a signature $\mathcal{F}$ and $\mathcal{F}_p$ a subset of public constructors in $\mathcal{F}$. For instance the following deduction system models public key cryptography: $(\{\mathrm{dec}(\mathrm{enc}(x, y), y^{-1}) = x\},\ \{\mathrm{dec}(\_, \_), \mathrm{enc}(\_, \_), \_^{-1}\},\ \{\mathrm{dec}(\_, \_), \mathrm{enc}(\_, \_)\})$. The equational theory is reduced here to a single equation that expresses that one can decrypt a ciphertext when the inverse key is available.

2.2 Role Specification 

We present in this subsection how protocol narrations are transformed into sets of roles. A role can be viewed as the projection of the protocol on a principal. The core of a role is a strand, which is a standard notion in cryptographic protocol modeling [14].

A strand is a finite sequence of messages, each with a label (or polarity) ! or ?. Messages with label ! (resp. ?) are said to be "sent" (resp. "received"). A strand is positive iff all its labels are !. Given a list of messages $l = m_1, \ldots, m_n$ we write $?l$ (resp. $!l$) as a short-hand for $?m_1, \ldots, ?m_n$ (resp. $!m_1, \ldots, !m_n$).

Definition 1 A role specification is an expression $A(l) : \nu\bar{n}.(S)$ where $A$ is a name, $l$ is a sequence of constants (called the role parameters), $\bar{n}$ is a sequence of constants (called the nonces of the role), and $S$ is a strand. Given a role $r$ we denote by $\mathrm{nonces}(r)$ the nonces $\bar{n}$ of $r$ and by $\mathrm{strand}(r)$ the strand $S$ of $r$.

Example 1 For example, the initiator of the NSPK protocol is modeled, at this point, with the role:

$\nu N_a.(?N_a, ?A, ?B, ?K_A, ?K_B, ?K_A^{-1},$
$\quad !\mathrm{msg}(B, \mathrm{enc}((A, N_a), K_B)),\ ?\mathrm{msg}(B, \mathrm{enc}((N_a, N_b), K_A)),$
$\quad !\mathrm{msg}(B, \mathrm{enc}(N_b, K_B)))$

with the equational theory of public key cryptography, plus the equations $\{\pi_1((x, y)) = x,\ \pi_2((x, y)) = y\}$.

Note that nothing guarantees in general that a protocol defined as a set of roles is executable. For instance some analysis is necessary to see whether a role can derive the required inverse keys for examining the content of a received ciphertext. We also stress that role specifications do not contain any variables. The symbols $N_a, A, \ldots$ in the above example are constants, and the messages occurring in the role specification are all ground terms.

Plain roles extracted from a narration. From a protocol narration where each nonce originates uniquely we can extract almost directly a set of roles, called plain roles, as follows. The constants occurring in the initial knowledge of a role are the parameters of the strand describing this role. We model this initial knowledge by a sequence of receptions (from an unspecified agent) of each term in the initial knowledge. In order to encode narrations we assume that we have in the signature three public function symbols $\mathrm{msg}(\_, \_)$, $\mathrm{partner}(\_)$ and $\mathrm{payload}(\_)$ satisfying the equational theory:

$$\begin{cases} \mathrm{partner}(\mathrm{msg}(x, y)) = x \\ \mathrm{payload}(\mathrm{msg}(x, y)) = y \end{cases}$$

For every agent name $A$ in the protocol narration, a role specification for $A$ is $A(l) : \nu\,\mathrm{nonces}(S^A).(?\mathrm{nonces}(S^A), ?K, S^A)$, where $K$ is such that "$A$ knows $K$" occurs in the protocol narration and $l$ is the set of constants in $K$. The strand $S^A$ and $\mathrm{nonces}(S^A)$ are computed as follows:

Computation of $S^A$: Init $S^A_0$ as the empty strand. On the $(n+1)$-th line $S \to R : M$ do

$$S^A_{n+1} = \begin{cases} S^A_n, !\mathrm{msg}(R, M) & \text{if } A = S \\ S^A_n, ?\mathrm{msg}(S, M) & \text{if } A = R \\ S^A_n & \text{otherwise} \end{cases}$$

Computation of $\mathrm{nonces}(A)$: This set contains each constant $N$ that appears in the strand $?K, S^A$ inside a message labelled ! and such that $N$ does not occur in previous messages (with any polarity).

This computation always extracts role specifications from a given protocol narration and it has the property that every constant appears in a received message before appearing in a sent message. Since a nonce is to be created within an instance of a role, we reject protocol narrations from which the algorithm described above extracts two different roles $A$ and $B$ with $\mathrm{nonces}(A) \cap \mathrm{nonces}(B) \neq \emptyset$.

Example 1 is a plain role that can be derived by applying the algorithm to the NSPK protocol narration. We now define the input of a role specification, which informally is the sequence of messages sent to a role as defined by the protocol narration.
Definition 2 Let $r = \nu\bar{N}.(\pm M_i)_{1 \le i \le n}$ be a role specification, and let $(R_1, \ldots, R_k)$ be the subsequence of the messages $M_i$ labeled with ?. The input of $r$ is denoted $\mathrm{input}(r)$ and is the positive strand $(!R_1, \ldots, !R_k)$.
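The plain-role extraction of this subsection, run on the NSPK narration of the introduction, as an added example (this is not the paper's code; the tuple encoding of terms, the `KNOWS` table and the function names are my own choices):

```python
# Plain-role extraction from a protocol narration (Section 2.2). Added
# example, not the paper's code. Terms are nested tuples: a constant is a
# string and an application is (symbol, arg_1, ..., arg_k); the inverse key
# K^{-1} is written ("inv", K).

def constants(t):
    """Cons(t): the set of constants occurring in the term t."""
    if isinstance(t, str):
        return {t}
    return set().union(*(constants(a) for a in t[1:]))

# The NSPK narration of the introduction as (sender, receiver, message)
# lines, and the initial knowledge "A knows K" of each agent (constructed).
NSPK = [
    ("A", "B", ("enc", ("pair", "A", "Na"), "KB")),
    ("B", "A", ("enc", ("pair", "Na", "Nb"), "KA")),
    ("A", "B", ("enc", "Nb", "KB")),
]
KNOWS = {
    "A": ["A", "B", "KA", "KB", ("inv", "KA")],
    "B": ["A", "B", "KA", "KB", ("inv", "KB")],
}

def strand_of(agent, narration):
    """S^A: for each line S -> R : M add !msg(R, M) if agent is the sender,
    ?msg(S, M) if it is the receiver, and nothing otherwise."""
    strand = []
    for sender, receiver, m in narration:
        if agent == sender:
            strand.append(("!", ("msg", receiver, m)))
        elif agent == receiver:
            strand.append(("?", ("msg", sender, m)))
    return strand

def nonces_of(knowledge, strand):
    """nonces(A): constants of the strand ?K, S^A that first occur inside a
    message labelled ! (the receptions ?K of the knowledge are scanned first)."""
    seen, nonces = set(), []
    for label, m in [("?", k) for k in knowledge] + strand:
        fresh = constants(m) - seen
        if label == "!":
            nonces.extend(sorted(fresh))
        seen |= fresh
    return nonces

def plain_role(agent, narration, knows):
    """A(l) : nu nonces(S^A).(?nonces(S^A), ?K, S^A), returned as the triple
    (parameters l, nonces, strand)."""
    k = knows[agent]
    s = strand_of(agent, narration)
    n = nonces_of(k, s)
    params = sorted(set().union(*(constants(t) for t in k)))
    return params, n, [("?", x) for x in n] + [("?", t) for t in k] + s

def role_input(role):
    """input(r) of Definition 2: the received messages as a positive strand."""
    return [("!", m) for label, m in role[2] if label == "?"]

def extract_roles(narration, knows):
    """All plain roles; the narration is rejected when two roles share a
    nonce, since a nonce has to be created within a single role instance."""
    roles = {a: plain_role(a, narration, knows) for a in knows}
    names = sorted(roles)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if set(roles[a][1]) & set(roles[b][1]):
                raise ValueError(f"nonce shared by roles {a} and {b}")
    return roles
```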

In the next section we define a target for the compilation of role specifications. Then we compute constraints to be satisfied by sent and received messages; by adding these constraints to the specification, it becomes executable in the safest possible way with respect to its initial specification.

3 Operational semantics for roles

In Section 2 we have defined roles and shown how they can be extracted from protocol narrations. In this section we define what an implementation of a role is and in Section 4 we will show how to compute such an implementation from a protocol narration.

Unification systems. Intuitively an operational model for a role has to reflect the possible manipulations on messages performed by a program implementing the role. These operations are specified here by a deduction system $\mathcal{D} = (\mathcal{E}, \mathcal{F}, \mathcal{S})$ where the set of public functions $\mathcal{S}$, a subset of the signature $\mathcal{F}$, is defined by equations in $\mathcal{E}$. Besides defining function computations, the equations $\mathcal{E}$ specify some properties.

Definition 3 Let $\mathcal{E}$ be an equational theory. An $\mathcal{E}$-unification system $\mathcal{S}$ is a finite set of equations denoted by $(u_i \stackrel{?}{=} v_i)_{i \in \{1, \ldots, n\}}$ with terms $u_i, v_i \in T(\mathcal{F}, \mathcal{X})$. It is satisfied by a substitution $\sigma$, and we note $\sigma \models \mathcal{S}$, if for all $i \in \{1, \ldots, n\}$ we have $u_i\sigma =_{\mathcal{E}} v_i\sigma$.

Active frames. We introduce now the set of implementations of a role specification as active frames. An active frame extends the role notion by specifying how a message to be sent is constructed from already known messages, and how a received message is checked to ascertain its conformity w.r.t. already known messages. The notation $!v_i$ (resp. $?v_i$) refers to a message stored in variable $v_i$ which is sent (resp. received).

Definition 4 Given a deduction system $\mathcal{D}$ with equational theory $\mathcal{E}$, a $\mathcal{D}$-active frame is a sequence $(T_i)_{1 \le i \le k}$ where

$$T_i = \begin{cases} !v_i \text{ with } v_i = C_i[v_1, \ldots, v_{i-1}] & \text{(send)} \\ ?v_i \text{ with } \mathcal{S}_i(v_1, \ldots, v_i) & \text{(receive)} \end{cases}$$

where $C_i[v_1, \ldots, v_{i-1}]$ denotes a context over variables $v_1, \ldots, v_{i-1}$ and $\mathcal{S}_i(v_1, \ldots, v_i)$ denotes an $\mathcal{E}$-unification system over variables $v_1, \ldots, v_i$. Each variable $v_i$ occurring with polarity ? is an input variable of the active frame.

Example 2 The following is an active frame denoted $\phi_A$ that can be employed to model the role $A$ in the NSPK protocol:

$(?v_{N_a}, ?v_A, ?v_B, ?v_{K_A}, ?v_{K_B}, ?v_{K_A^{-1}},$
$\quad !v_{msg_1} \text{ with } v_{msg_1} = \mathrm{msg}(v_B, \mathrm{enc}((v_A, v_{N_a}), v_{K_B})),$
$\quad ?v_r \text{ with } \emptyset,$
$\quad !v_{msg_2} \text{ with } v_{msg_2} = \mathrm{msg}(v_B, \mathrm{enc}(\pi_2(\mathrm{dec}(\mathrm{payload}(v_r), v_{K_A^{-1}})), v_{K_B})))$
Compilation is the computation of an active frame from a role specification such that, when receiving messages as intended by the role specification, the active frame emits responses equal modulo the equational theory to the responses issued in the role specification. More formally, we have the following:

Definition 5 Let $\mathcal{D}$ be a deduction system with equational theory $\mathcal{E}$. Let $\varphi = (T_i)_{1 \le i \le k}$ be an active frame, where the $T_i$'s are as in Definition 4 and where the input variables are $r_1, \ldots, r_n$. Let $s$ be a positive strand $!M_1, \ldots, !M_n$. Let $\sigma_{\varphi, s}$ be the substitution $\{r_i \mapsto M_i\}$ and $\mathcal{S}$ be the union of the $\mathcal{E}$-unification systems in $\varphi$. The evaluation of $\varphi$ on $s$ is denoted $\varphi \cdot s$ and is the strand $(m_1, \ldots, m_k)$ where:

$$m_i = \begin{cases} !C_i[m_1, \ldots, m_{i-1}] & \text{if } v_i \text{ has label ! in } T_i \\ ?v_i\sigma_{\varphi, s} & \text{if } v_i \text{ has label ? in } T_i \end{cases}$$

We say that $\varphi$ accepts $s$ if $\mathcal{S}\sigma_{\varphi, s}$ is satisfiable.

To simplify notations, the application of a $\mathcal{D}$-context $C[x_1, \ldots, x_n]$ on a positive strand $s = (!t_1, \ldots, !t_n)$ of length $n$ is denoted $C \cdot s$ and is the term $C[t_1, \ldots, t_n]$.

Example 3 Let $r$ be the role specification of role $A$ in NSPK as given in Ex. 1 and $\phi_A$ be the active frame of Ex. 2. We have:

$\mathrm{input}(r) = (!N_a, !A, !B, !K_A, !K_B, !K_A^{-1}, !\mathrm{msg}(B, \mathrm{enc}((N_a, N_b), K_A)))$

and $\phi_A \cdot \mathrm{input}(r)$ is the strand:

$(?N_a, ?A, ?B, ?K_A, ?K_B, ?K_A^{-1}, !\mathrm{msg}(B, \mathrm{enc}((A, N_a), K_B)), ?\mathrm{msg}(B, \mathrm{enc}((N_a, N_b), K_A)),$
$\quad !\mathrm{msg}(B, \mathrm{enc}(\pi_2(\mathrm{dec}(\mathrm{payload}(\mathrm{msg}(B, \mathrm{enc}((N_a, N_b), K_A))), K_A^{-1})), K_B)))$

Modulo the equational theory, this strand is equal to the strand:

$(?N_a, ?A, ?B, ?K_A, ?K_B, ?K_A^{-1}, !\mathrm{msg}(B, \mathrm{enc}((A, N_a), K_B)), ?\mathrm{msg}(B, \mathrm{enc}((N_a, N_b), K_A)),$
$\quad !\mathrm{msg}(B, \mathrm{enc}(N_b, K_B)))$

It is not coincidental that in Ex. 3 the strands $\phi_A \cdot \mathrm{input}(r)$ and $\mathrm{strand}(r)$ are equal, as it means that within the active frame, the sent messages are composed from received ones in such a way that when receiving the messages expected in the protocol narration, the role responds with the messages intended by the protocol narration. This fact gives us a criterion to define functional implementations of a role.

Definition 6 An active frame $\varphi$ is an implementation of a role specification $r$ if $\varphi$ accepts $\mathrm{input}(r)$ and $\varphi \cdot \mathrm{input}(r) =_{\mathcal{E}} \mathrm{strand}(r)$. If a role admits an implementation we say this role is executable.

The active frame $\phi_A$ defined above is a possible implementation of the initiator role in NSPK. However this implementation does not check the conformity of the messages with the intended patterns, e.g. it neither checks that $v_r$ is really an encryption with the public key $v_{K_A}$ of a pair, nor that the first argument of the encrypted pair has the same value as the nonce $v_{N_a}$. In Section 4 we show not only how to compute an active frame when the role specification is executable, but also how to ensure that all the possible checks are performed.
4 Compilation of role specifications

Usually the compilation of a specification is defined by a compilation algorithm. An originality of this work is that we present the result of the compilation as the solution to decision problems. This has the advantage of providing for free a notion of prudent implementation as explained below.

4.1 Computation of a "vanilla" implementation 

Let us first present how to compute an implementation of a role specification in which no check 
is performed, as given in the preceding example. To build such an implementation we need 
to compute for every sent message m a context Cm that evaluates to m when applied to the 
previously received ones. This reachability problem is unsolvable in general. Hence we have to 
consider systems that admit a reachability algorithm, formally defined below: 

Definition 7 Given a deduction system $\mathcal{D}$ with equational theory $\mathcal{E}$, a $\mathcal{D}$-reachability algorithm $\mathcal{A}_{\mathcal{D}}$ computes, given a positive strand $s$ of length $n$ and a term $t$, a $\mathcal{D}$-context $\mathcal{A}_{\mathcal{D}}(s, t) = C[x_1, \ldots, x_n]$ such that $C \cdot s =_{\mathcal{E}} t$ iff there exists such a context, and $\bot$ otherwise.

We will show that several interesting theories admit a reachability algorithm. This algorithm 
can be employed as an oracle to compute the contexts in sent messages and therefore to derive 
an implementation of a role specification r. We thus have the following theorem. 

Theorem 1 If there exists a $\mathcal{D}$-reachability algorithm then it can be decided whether a role specification $r$ is executable and, if so, one can compute an implementation of $r$.

Proof sketch. Let $r = (\pm M_i)_{i \in \{1, \ldots, n\}}$ be an executable role specification. By definition there exists an active frame that implements $r$, i.e. for each sent message $M_i$, there exists a context $C_i$ such that $C_i[M_1, \ldots, M_{i-1}]$ is equal to $M_i$ modulo the equational theory. Thus if there exists a $\mathcal{D}$-reachability algorithm $\mathcal{A}_{\mathcal{D}}$, the result $\mathcal{A}_{\mathcal{D}}((M_1, \ldots, M_{i-1}), M_i)$ cannot be $\bot$ by definition. As a consequence, $\mathcal{A}_{\mathcal{D}}((M_1, \ldots, M_{i-1}), M_i)$ is a context $C'_i[x_1, \ldots, x_{i-1}]$. Thus for all indices $i$ such that $M_i$ is sent we can compute a context $C'_i$ that, when applied on previous messages, yields the message to send. We thus have an implementation of the role specification.

4.2 Computation of a prudent implementation 

Computing an active frame is not enough since one would want to model that received messages are checked as thoroughly as possible. For instance in Example 2 a prudent implementation of the message reception with $?v_r$ should be:

$?v_r \text{ with } \pi_1(\mathrm{dec}(\mathrm{payload}(v_r), v_{K_A^{-1}})) = v_{N_a} \wedge \mathrm{partner}(v_r) = v_B$

Let us first formalize this by a refinement relation on sequences of messages. We will say a strand $s$ refines a strand $s'$ if any observable equality of subterms in strand $s'$ can be observed in $s$ using the same tests. To put it formally:

Definition 8 A positive strand $s = (!M_1, \ldots, !M_n)$ refines a positive strand $s' = (!M'_1, \ldots, !M'_n)$ if, for any pair of contexts $(C_1[x_1, \ldots, x_n], C_2[x_1, \ldots, x_n])$ one has $C_1 \cdot s' = C_2 \cdot s'$ implies $C_1 \cdot s = C_2 \cdot s$.
For instance the strand $s = (!\mathrm{enc}(\mathrm{enc}(a, k'), k), !\mathrm{enc}(a, k'), !k, !k', !a)$ refines $s' = (!\mathrm{enc}(\mathrm{enc}(a, k'), k), !\mathrm{enc}(a, k'), !k, !k'', !a)$ since all equalities that can be checked on $s'$ can be checked on $s$. We can now define an implementation to be prudent if every equality satisfied by the sequence of messages of the protocol specification is satisfied by any accepted sequence of messages.

Definition 9 Let $r$ be a role specification and $\varphi$ be an implementation of $r$. We say that $\varphi$ is prudent if any positive strand $s$ accepted by $\varphi$ is a refinement of $\mathrm{input}(r)$.

As we shall see in Section 5, most deduction systems considered in the context of cryptographic protocol analysis have the property that it is possible to compute, given a positive strand, a finite set of context pairs that summarizes all possible equalities in the sense of the next definition. Let us first introduce a notation: given a positive strand $s$ we let $P_s$ be the set of context pairs $(C_1, C_2)$ such that $C_1 \cdot s = C_2 \cdot s$.

Definition 10 A deduction system $\mathcal{D}$ has the finite basis property if for each positive strand $s$ one can compute a finite set $P^f_s$ of pairs of $\mathcal{D}$-contexts such that, for each positive strand $s'$:

$$P_s \subseteq P_{s'} \quad \text{iff} \quad P^f_s \subseteq P_{s'}$$

Let us now assume that a deduction system $\mathcal{D}$ has the finite basis property. There thus exists an algorithm $\mathcal{A}^f_{\mathcal{D}}(s)$ that takes a positive strand $s$ as input, computes a finite set $P^f_s$ of context pairs $(C[x_1, \ldots, x_n], C'[x_1, \ldots, x_n])$ and returns as a result the $\mathcal{E}$-unification system

$$\mathcal{S}_s = \{C[x_1, \ldots, x_n] \stackrel{?}{=} C'[x_1, \ldots, x_n] \mid (C, C') \in P^f_s\}.$$

For any positive strand $s' = (!m_1, \ldots, !m_n)$ of length $n$ let $\sigma_{s'}$ be the substitution $\{x_i \mapsto m_i\}_{1 \le i \le n}$. By definition of $\mathcal{S}_s$ we have that $\sigma_{s'} \models \mathcal{S}_s$ if and only if $s'$ is a refinement of $s$. Given the preceding definition of $\mathcal{A}_{\mathcal{D}}(s, t)$, we are now ready to present our algorithm for the compilation of role specifications into active frames.

Algorithm. Let $r$ be a role specification with $\mathrm{strand}(r) = (\pm M_1, \ldots, \pm M_n)$ and let $s = (!M_1, \ldots, !M_n)$. Let us introduce two notations to simplify the writing of the algorithm: we write $r(i)$ to denote the $i$-th labelled message $\pm M_i$ in $r$, and $s^i$ to denote the prefix $(!M_1, \ldots, !M_i)$ of $s$. Compute, for $1 \le i \le n$:

$$T_i = \begin{cases} !v_i \text{ with } v_i = \mathcal{A}_{\mathcal{D}}(s^{i-1}, M_i) & \text{if } r(i) = !M_i \\ ?v_i \text{ with } \mathcal{A}^f_{\mathcal{D}}(s^i) & \text{if } r(i) = ?M_i \end{cases}$$

and return the active frame $\varphi_r = (T_i)_{1 \le i \le n}$. By construction we have the following theorem.

Theorem 2 Let $\mathcal{D}$ be a deduction system such that $\mathcal{D}$-ground reachability is decidable and $\mathcal{D}$ has the finite basis property. Then for any executable role specification $r$ one can compute a prudent implementation $\varphi$.
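The compilation algorithm above, instantiated on the NSPK initiator role, as an added example (this is not the paper's code; the function names and the tuple encoding are my own). It assumes a small deduction system (the public-key theory of Section 2.1 plus pairing, projections and msg/partner/payload), so that reachability amounts to saturating the known messages under the analysis rules and then synthesising with public symbols; the equalities discovered during that saturation serve as the reception checks, which is a subset of $P_s$ (it recovers the two checks of the $?v_r$ example) and not the full finite basis $P^f_s$ of [1].

```python
# Compiling the NSPK initiator role into an active frame (Sections 4.1, 4.2).
# Added example, not the paper's code. Theory: public-key dec/enc of Section
# 2.1 plus pairing, projections and msg/partner/payload. Terms are nested
# tuples, constants are strings, ("inv", K) is K^{-1}, hole x_i is ("x", i).
PUBLIC = {"enc", "dec", "pair", "pi1", "pi2", "msg", "partner", "payload"}

def inv(k):
    """Inverse key, with inv(inv(k)) = k so the symbol never nests."""
    return k[1] if isinstance(k, tuple) and k[0] == "inv" else ("inv", k)

def normalise(t):
    """Root rewrite step with the theory (arguments are already normal)."""
    f, a = t[0], t[1:]
    head = a[0][0] if isinstance(a[0], tuple) else None
    if (f, head) in (("pi1", "pair"), ("partner", "msg"), ("pi2", "pair"), ("payload", "msg")):
        return a[0][1 if f in ("pi1", "partner") else 2]
    if (f, head) == ("dec", "enc") and a[1] == inv(a[0][2]):
        return a[0][1]
    return t

def apply(c, msgs):
    """C . s: fill hole x_i with the i-th message of s and normalise."""
    if isinstance(c, str):
        return c
    return msgs[c[1] - 1] if c[0] == "x" else normalise(
        (c[0],) + tuple(apply(a, msgs) for a in c[1:]))

def analyse(msgs):
    """Saturate s under the analysis rules. Returns {term: context} and the
    context pairs (C1, C2) found to denote one term, i.e. equalities on s."""
    ctx, eqs, size = {}, set(), -1
    def add(t, c):
        if t not in ctx:
            ctx[t] = c
        elif c != ctx[t]:
            eqs.add((c, ctx[t]))
    for i, t in enumerate(msgs, 1):
        add(t, ("x", i))
    while size != len(ctx) + len(eqs):            # iterate to a fixpoint
        size = len(ctx) + len(eqs)
        for t, c in [tc for tc in ctx.items() if isinstance(tc[0], tuple)]:
            if t[0] == "pair":
                add(t[1], ("pi1", c)); add(t[2], ("pi2", c))
            elif t[0] == "msg":
                add(t[1], ("partner", c)); add(t[2], ("payload", c))
            elif t[0] == "enc" and inv(t[2]) in ctx:
                add(t[1], ("dec", c, ctx[inv(t[2])]))
    return ctx, eqs

def reach(msgs, t):
    """A_D(s, t): a context C with C . s =_E t, or None (the paper's bottom)."""
    ctx, _ = analyse(msgs)
    def build(u):
        if u in ctx:
            return ctx[u]
        if isinstance(u, str) or u[0] not in PUBLIC:
            return None
        args = [build(a) for a in u[1:]]
        return None if None in args else (u[0],) + tuple(args)
    return build(t)

def compile_role(strand):
    """Section 4.2 algorithm: a send gets A_D(s^{i-1}, M_i), a reception gets
    the analysis equalities of s^i (a subset of the finite basis P^f)."""
    frame, prefix = [], []
    for label, m in strand:
        c = reach(prefix, m) if label == "!" else analyse(prefix + [m])[1]
        if c is None:
            return None                            # role not executable
        frame.append((label, c))
        prefix.append(m)
    return frame

def evaluate(frame, inp):
    """phi . s of Definition 5, together with whether phi accepts s."""
    out, received, ok = [], iter(inp), True
    for label, body in frame:
        if label == "!":
            out.append(("!", apply(body, [m for _, m in out])))
        else:
            out.append(("?", next(received)))
            msgs = [m for _, m in out]
            ok = ok and all(apply(c1, msgs) == apply(c2, msgs) for c1, c2 in body)
    return out, ok

def is_implementation(frame, strand):
    """Definition 6: phi accepts input(r) and phi . input(r) = strand(r)."""
    out, ok = evaluate(frame, [m for label, m in strand if label == "?"])
    return ok and out == strand

ROLE_A = [("?", "Na"), ("?", "A"), ("?", "B"), ("?", "KA"), ("?", "KB"),
          ("?", ("inv", "KA")), ("!", ("msg", "B", ("enc", ("pair", "A", "Na"), "KB"))),
          ("?", ("msg", "B", ("enc", ("pair", "Na", "Nb"), "KA"))),
          ("!", ("msg", "B", ("enc", "Nb", "KB")))]   # role A of NSPK, Example 1
```

Running `compile_role(ROLE_A)` yields the contexts of Example 2 for the two sent messages and, for the reception of the second message, the checks $\pi_1(\mathrm{dec}(\mathrm{payload}(x_8), x_6)) = x_1$ and $\mathrm{partner}(x_8) = x_3$; a strand whose second message carries a different first nonce is then rejected.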

5 Examples and Applications 

Many theories that are relevant to cryptographic protocol design satisfy the hypothesis of Theorem 2. For instance let us introduce the convergent subterm theory:

Definition 11 An equational theory is convergent subterm if it admits a presentation by a set of equations $\mathcal{E} = \bigcup_{i} \{l_i = r_i\}$ such that $\mathcal{E}$ is a convergent set of rules and each $r_i$ is either a proper subterm of $l_i$ or a ground term.
It is known (see e.g. [2]) that reachability is decidable for subterm convergent theories. It was proved in [1] that any subterm convergent theory has the finite basis property too. This is a consequence of Proposition 11 in [1] that is used by the authors to decide the so-called static equivalence property for this class of theories. We give more details in the Appendix.

Many interesting theories are subterm convergent. For instance consider the Dolev-Yao equational theory $\mathcal{E}_{DY}$:

$$\mathcal{E}_{DY} = \begin{cases} \pi_1((x, y)) = x & (P_1) \\ \pi_2((x, y)) = y & (P_2) \\ \mathrm{dec}(\mathrm{enc}(x, y), y^{-1}) = x & (D) \\ \mathrm{symtest}(\mathrm{enc}(x, y), y) = \mathrm{true} & (T_e) \\ \mathrm{pairtest}((x, y)) = \mathrm{true} & (T_p) \end{cases}$$

where $(P_1)$ (resp. $(P_2)$) models the projections on the arguments of a pair, $(D)$ models the decryption using the inverse key and $(T_e)$ (resp. $(T_p)$) models that anyone knowing a public key can test whether a message is encrypted with this key (resp. that anyone can test whether a message is a pair). As a consequence of our Theorem 2, for every protocol expressed with functions satisfying this theory we can compute a prudent implementation.

The equational theory of the eXclusive-OR operator $\_ \oplus \_$ is given by the following set of equations $\mathcal{E}_\oplus$, where $0$ is a constant and $\oplus, 0$ are public functions:

$$\begin{cases} (x \oplus y) \oplus z = x \oplus (y \oplus z) \\ x \oplus y = y \oplus x \\ 0 \oplus x = x \\ x \oplus x = 0 \end{cases}$$

This example can be generalized to monoidal theories as follows. Assume that all symbols are public and that the signature of a deduction system is equal to $\mathcal{F} = \{+, 0, h_1, \ldots, h_n\}$ or $\{+, -, 0, h_1, \ldots, h_n\}$ where $+$ is a binary associative-commutative symbol, $0$ is the identity for $+$, the symbol $-$ is unary and satisfies the equation $x + (-x) = 0$, and $h_1, \ldots, h_n$ (for $n \ge 0$) are unary commuting homomorphisms on $+$ (i.e. such that $h_i(x + y) = h_i(x) + h_i(y)$ and $h_i(h_j(x)) = h_j(h_i(x))$ for $1 \le i, j \le n$). Let us add to the signature $a_1, \ldots, a_k$, the constants appearing in the protocol narration.

Reachability for this resulting deduction system is decidable (see e.g. [11, 12]). We can also show that the deduction system has the finite basis property: each ground term in the narration can be interpreted as an element of the module $(\mathbb{Z}[X_1, \ldots, X_n])^k$ as follows:

• $[a_i]$ is the vector in which only the $i$-th coordinate is non-null, and is equal to 1;

• $[h_i(t)] = X_i \cdot [t]$, $[t_1 + t_2] = [t_1] + [t_2]$, and $[-t] = -[t]$.

It is routine to check that under these assumptions, we have that:

1. A context with $m$ holes is interpreted as a linear form mapping $((\mathbb{Z}[X_1, \ldots, X_n])^k)^m$ to $(\mathbb{Z}[X_1, \ldots, X_n])^k$ and with coefficients in $\mathbb{Z}[X_1, \ldots, X_n]$. These polynomials have positive coefficients whenever $-$ is not a public symbol;

2. In any case we note that any linear form with coefficients in $\mathbb{Z}[X_1, \ldots, X_n]$ can be written as the difference of two linear forms with positive coefficients.

Under this interpretation, for a positive strand $s$ of length $n$ interpreted as a vector in $((\mathbb{Z}[X_1, \ldots, X_n])^k)^n$ and a pair of contexts $C_1, C_2$ we have $C_1 \cdot s = C_2 \cdot s$ iff $([C_1] - [C_2])([s]) = 0$, i.e. there is a mapping from $P_s$ to the set $s^*$ of linear forms $f$ such that $f([s]) = 0$. The second remark above shows that this mapping is surjective. Since $s^*$ is the first syzygy module [21] of a linear equation, $s^*$ is also isomorphic to a submodule of $(\mathbb{Z}[X_1, \ldots, X_n]^k)^n$. Since $\mathbb{Z}[X_1, \ldots, X_n]$ is noetherian this syzygy submodule has a finite generating set $b_1, \ldots, b_l$ that can be computed by an analogue of Buchberger's algorithm [21].

Given another strand $s'$ of the same length, if $\{b_1, \ldots, b_l\} \subseteq (s')^*$ we have also $s^* \subseteq (s')^*$. In other words, $s'$ refines $s$. We thus obtain an algorithm to compute $P^f_s$ for any strand $s$ that consists in computing a generating set $b_1, \ldots, b_l$ of $s^*$, writing each $b_i$ as the difference $b_i^+ - b_i^-$ of two linear forms with positive coefficients, and outputting the set of $l$ pairs of contexts $(C_i^+, C_i^-)$ with $[C_i^+] = b_i^+$ and $[C_i^-] = b_i^-$ for $1 \le i \le l$.

6 Conclusion 

We have shown how to link the process of compiling protocols to executable roles with formal decision problems. This allows us to extend many known results on compilation to the case of protocols that are based on more complex cryptographic primitives, admitting algebraic properties that are beyond the usual Dolev-Yao ones.

Moreover if the set of symbols occurring in the protocol can be divided so that each part satisfies an equational theory with decidable $\mathcal{D}$-reachability and $\mathcal{D}$ has the finite basis property, then we can exploit the combination results from [?] to derive the same properties for the union of theories. Therefore the protocol can be prudently compiled in this case too.
Appendix

This Appendix has been added to ease the review. We recall some notions and results from [1] and explain why they show that any subterm convergent theory has the finite basis property.

Let $E$ be a subterm convergent theory. The constant $c_E$ introduced in [1] depends only on the equational theory $E$ but its exact value is not important for our discussion. The size of a term $t$ is the number of vertices in its DAG representation. It is denoted by $|t|$. To any positive strand $s = (!M_1, \ldots, !M_n)$ we can associate a frame with an empty set of free names in the sense of [1]. This frame is $\{M_1/x_1, \ldots, M_n/x_n\}$ and will be denoted $s$ too (assuming some variable enumeration). We will reformulate or simplify the results from [1] by taking into account the fact that there are no nonces in the frames in our case. Note that $s$ can also be viewed as a substitution.

Let $st(s)$ be the set of subterms of $s$. The set $sat(s)$ (see Definition 3 of [1]) is the minimal set such that

1. $M_1, \ldots, M_n \in sat(s)$;

2. if $N_1, \ldots, N_k \in sat(s)$ and $f(N_1, \ldots, N_k)$ is a subterm of $s$ then $f(N_1, \ldots, N_k) \in sat(s)$;

3. if $N_1, \ldots, N_k \in sat(s)$ and $C[N_1, \ldots, N_k] \to M$ where $C$ is a context, $|C| \le c_E$ and $M \in st(s)$, then $M \in sat(s)$.

Also Proposition 9 from [1] shows that for every $M \in sat(s)$ there exists a term $C_M$ such that $|C_M|_{dag} \le c_E \cdot |s|$ and $C_M \cdot s =_E M$.

We can now restate Definition 4 from [1] in our framework:

Definition 4 The set $Eq(s)$ is the set of couples

$(C_1[C_{M_1}, \ldots, C_{M_k}],\ C_2[C_{M'_1}, \ldots, C_{M'_l}])$

such that $C_1[C_{M_1}, \ldots, C_{M_k}] \cdot s =_E C_2[C_{M'_1}, \ldots, C_{M'_l}] \cdot s$, $|C_1|, |C_2| \le c_E$ and the terms $M_i, M'_j$ are in $sat(s)$.

Since there are no nonces the set $Eq(s)$ is finite (up to variable renamings). We recall Lemma 6 and 7 from [1] with our notations:

Lemma 8 Let $s, s'$ be two positive strands such that $Eq(s) \subseteq P_{s'}$. Then for all contexts $C_1, C_2$ and for all terms $M_i, M'_j \in sat(s)$, if $C_1[M_1, \ldots, M_k] = C_2[M'_1, \ldots, M'_l]$ then $C_1[C_{M_1}, \ldots, C_{M_k}] \cdot s' =_E C_2[C_{M'_1}, \ldots, C_{M'_l}] \cdot s'$.

Lemma 9 Let $s$ be a positive strand. For every context $C_1$, for every $M_i \in sat(s)$ and for every term $T$ such that $C_1[M_1, \ldots, M_k] \to^*_E T$ there is a context $C_2$ and terms $M'_j \in sat(s)$ such that $T = C_2[M'_1, \ldots, M'_l]$ and, for every positive strand $s'$ such that $Eq(s) \subseteq P_{s'}$, we have $C_1[C_{M_1}, \ldots, C_{M_k}] \cdot s' =_E C_2[C_{M'_1}, \ldots, C_{M'_l}] \cdot s'$.

Now we can extract from Proposition 11 in [1] the part of the proof that shows our claim:

Assume that $s, s'$ are two positive strands and $Eq(s) \subseteq P_{s'}$. Assume that we have an equality $M \cdot s =_E N \cdot s$. Let $T$ be the common normal form of $M \cdot s$ and $N \cdot s$ for the rewrite relation $\to_E$.

By Lemma 7 there exist $M_i \in sat(s)$ and $C_M$ such that $T = C_M[M_1, \ldots, M_k]$ and $M \cdot s' =_E C_M[C_{M_1}, \ldots, C_{M_k}] \cdot s'$. By the same lemma there exist $M'_j \in sat(s)$ and $C_N$ such that $T = C_N[M'_1, \ldots, M'_l]$ and $N \cdot s' =_E C_N[C_{M'_1}, \ldots, C_{M'_l}] \cdot s'$.

Since $C_M[M_1, \ldots, M_k] = C_N[M'_1, \ldots, M'_l]$ we derive from Lemma 6 that

$$C_M[C_{M_1}, \ldots, C_{M_k}] \cdot s' =_E C_N[C_{M'_1}, \ldots, C_{M'_l}] \cdot s'.$$

As a consequence we have $M \cdot s' =_E N \cdot s'$. We can conclude that $P_s \subseteq P_{s'}$, and that the deduction system has the finite basis property by defining, for all $s$, $P^f_s$ to be $Eq(s)$.